Security experts are suggesting that the attacker(s) are fluent in Persian because the communications tools used in the campaign are written in Persian.

“It's for sure somebody who is fluent in Persian, but we don't know the origin of those guys,” Seculert Chief Technology Officer Aviv Raff told the press.

So far the threat has infected the infrastructure and computers of companies, engineering students, financial services firms, and government embassies in the Middle East; the majority of the infections are in Iran.

The goal of the campaign is still under investigation, but experts have reported that gigabytes of data have been uploaded. Furthermore, the ongoing Mahdi threat suggests that the campaign is a part of something bigger.

“Somebody is trying to build a dossier of a larger scale on something. We don’t know what they are going to do at the end,” said Aviv.